Teaser Brucon 2013 Hacking PDF Training
Aug. 15, 2013•0 likes•5,632 views
Download to read offline
Report
Recommended
More Related Content
Viewers also liked
Recently uploaded
Teaser Brucon 2013 Hacking PDF Training
- 1. Hacking PDF Training Brucon 2013 Gent didier@DidierStevensLabs.com
- 2. Didier Stevens Renowned Malicious PDF Expert Author Of Popular Free PDF Tools 30+ Years Of Hacking
- 3. 2 Days Training Day 1: PDF Language & Analysis Day 2: PDF Creation
- 4. Day 1: PDF Language Intro
- 5. Example of PDF Language Intro String obfuscation /JS (app.alert({cMsg: 'Hello from PDF JavaScript'});) /JS <61 70 70 2E 61 6C 65 72 74 28 7B 63 4D 73 67 3A 20 27 48 65 6C 6C 6F 20 66 72 6F 6D 20 50 44 46 20 4A 61 76 61 53 63 72 69 70 74 27 7D 29 3B>
- 6. Day 1: Simple Analysis Exercises 20 simple exercises with benign PDFs* Understanding malicious PDFs Getting familiar with PDF analysis tools: pdfid pdf-parser … *You also get my screencasts for these simple exercises
- 7. Day 1: Simple Analysis Exercises Example: extracting payload from PDF pdf-parser.py -s /EmbeddedFile ex013.pdf pdf-parser.py -o 8 -f -d file.exe ex013.pdf
- 8. Day 1: Complex Analysis Exercises The Real Deal Analyzing “in the wild” PDF malware 5+ exercises
- 9. Day 1: Complex Analysis Exercises Example: 3-The Obama Administration and the Middle East.pdf.zip Learn to find the exploit, extract the shellcode and analyze it with shellcode simulator
- 10. Day 2: PDF Creation A full day learning how to create PDFs “For Fun and Profit” with Python tools
- 11. Day 2: PDF Creation You receive my Private PDF Creation Tools
- 12. Day 2: PDF Creation Receive private mPDF module + documentation Create New PDFs Modify Existing PDFs All from Python, no Adobe products required
- 13. Day 2: PDF Creation Receive many private PDF creation & modification tools Example: t-modify-pdf-incremental-update.py Learn to modify Mandiant_APT1_Report.pdf
- 14. Day 2: PDF Creation Example: PDF fuzzer to find vulnerabilities in PDF readers Smart Fuzzing of JPEG embedded in PDF
- 15. Creation Exercises Learn how to use my private shellcode for PDFs
- 16. Day 2: PDF Creation Learn how to bypass AV and IDS detection with PDF obfuscation
- 17. Day 2: PDF Creation Learn the internal details of my /Launch exploit and use the automated creation tool
- 18. Summary Learn how to analyze and create PDFs in 2 days from a malicious pdf expert Receive many of my private, unreleased tools No need to be a Python expert, just have basic skills to modify a Python script No shellcode skills needed
Editor's Notes
- Check each exercise PDF document with PDFiD and pdf-parser Password for encrypted ZIP files: infected ex001.pdf plain text PDF document without JavaScript pdf-parser.py ex001.pdf ex002.pdf PDF document without JavaScript, text is compressed (FlateDecode) pdf-parser.py -o 5 -f ex002.pdf ex003.pdf PDF document without JavaScript, text is compressed (FlateDecode & ASCIIHexDecode) pdf-parser.py -o 5 -f ex003.pdf ex004.pdf PDF document with JavaScript, without action pdf-parser.py -o 7 ex004.pdf ex005.pdf PDF document with JavaScript, with open action pdf-parser.py -o 7 ex005.pdf ex006.pdf PDF document with JavaScript, with open action, JavaScript is compressed pdf-parser.py -o 8 -f ex006.pdf ex007.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed pdf-parser.py -o 8 -f ex007.pdf ex008.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed pdf-parser.py -o 8 -f ex008.pdf ex009.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated via annotation and compressed pdf-parser.py -o 9 -f ex009.pdf ex010.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated via object stream pdf-parser.py -o 1 -f ex010.pdf ex011.pdf PDF document with JavaScript, with open action, JavaScript triggers util.printf bug pdf-parser.py -o 7 ex011.pdf ex012.pdf PDF document with JavaScript, with open action, JavaScript executes heap spray and triggers util.printf bug pdf-parser.py -o 7 ex012.pdf ex013.pdf PDF document with embedded file pdf-parser.py -o 8 -f -d file.exe ex013.pdf ex014.pdf Malformed PDF document with file appended at the end pdf-parser.py -x file.exe ex014.pdf ex015.pdf PDF document with JavaScript in AcroForm pdf-parser.py -o 8 -f ex015.pdf ex016.pdf PDF document with metadata XML-bomb (small), trigger with JavaScript pdf-parser.py -o 7 -f ex016.pdf ex017.pdf PDF document with JavaScript, with open action, JavaScript switchs to full screen pdf-parser.py -o 7 ex017.pdf secret.pdf PDF document with /Launch action and embedded executable pdf-parser.py -o 7 secret.pdf ex019.pdf PDF document with JavaScript, with open action, PDF document is encrypted with owner password qpdf --decrypt ex019.pdf ex019-decrypted.pdf pdf-parser.py -o 2 ex019-decrypted.pdf ex020.pdf PDF document with JavaScript, with open action, PDF document is encrypted with user password (password is secret) qpdf --decrypt --password=secret ex020.pdf ex020-decrypted.pdf pdf-parser.py -o 2 ex020-decrypted.pdf
- Check each exercise PDF document with PDFiD and pdf-parser Password for encrypted ZIP files: infected ex001.pdf plain text PDF document without JavaScript pdf-parser.py ex001.pdf ex002.pdf PDF document without JavaScript, text is compressed (FlateDecode) pdf-parser.py -o 5 -f ex002.pdf ex003.pdf PDF document without JavaScript, text is compressed (FlateDecode & ASCIIHexDecode) pdf-parser.py -o 5 -f ex003.pdf ex004.pdf PDF document with JavaScript, without action pdf-parser.py -o 7 ex004.pdf ex005.pdf PDF document with JavaScript, with open action pdf-parser.py -o 7 ex005.pdf ex006.pdf PDF document with JavaScript, with open action, JavaScript is compressed pdf-parser.py -o 8 -f ex006.pdf ex007.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed pdf-parser.py -o 8 -f ex007.pdf ex008.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed pdf-parser.py -o 8 -f ex008.pdf ex009.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated via annotation and compressed pdf-parser.py -o 9 -f ex009.pdf ex010.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated via object stream pdf-parser.py -o 1 -f ex010.pdf ex011.pdf PDF document with JavaScript, with open action, JavaScript triggers util.printf bug pdf-parser.py -o 7 ex011.pdf ex012.pdf PDF document with JavaScript, with open action, JavaScript executes heap spray and triggers util.printf bug pdf-parser.py -o 7 ex012.pdf ex013.pdf PDF document with embedded file pdf-parser.py -o 8 -f -d file.exe ex013.pdf ex014.pdf Malformed PDF document with file appended at the end pdf-parser.py -x file.exe ex014.pdf ex015.pdf PDF document with JavaScript in AcroForm pdf-parser.py -o 8 -f ex015.pdf ex016.pdf PDF document with metadata XML-bomb (small), trigger with JavaScript pdf-parser.py -o 7 -f ex016.pdf ex017.pdf PDF document with JavaScript, with open action, JavaScript switchs to full screen pdf-parser.py -o 7 ex017.pdf secret.pdf PDF document with /Launch action and embedded executable pdf-parser.py -o 7 secret.pdf ex019.pdf PDF document with JavaScript, with open action, PDF document is encrypted with owner password qpdf --decrypt ex019.pdf ex019-decrypted.pdf pdf-parser.py -o 2 ex019-decrypted.pdf ex020.pdf PDF document with JavaScript, with open action, PDF document is encrypted with user password (password is secret) qpdf --decrypt --password=secret ex020.pdf ex020-decrypted.pdf pdf-parser.py -o 2 ex020-decrypted.pdf
- Check each exercise PDF document with PDFiD and pdf-parser Password for encrypted ZIP files: infected ex001.pdf plain text PDF document without JavaScript pdf-parser.py ex001.pdf ex002.pdf PDF document without JavaScript, text is compressed (FlateDecode) pdf-parser.py -o 5 -f ex002.pdf ex003.pdf PDF document without JavaScript, text is compressed (FlateDecode & ASCIIHexDecode) pdf-parser.py -o 5 -f ex003.pdf ex004.pdf PDF document with JavaScript, without action pdf-parser.py -o 7 ex004.pdf ex005.pdf PDF document with JavaScript, with open action pdf-parser.py -o 7 ex005.pdf ex006.pdf PDF document with JavaScript, with open action, JavaScript is compressed pdf-parser.py -o 8 -f ex006.pdf ex007.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed pdf-parser.py -o 8 -f ex007.pdf ex008.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed pdf-parser.py -o 8 -f ex008.pdf ex009.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated via annotation and compressed pdf-parser.py -o 9 -f ex009.pdf ex010.pdf PDF document with JavaScript, with open action, JavaScript is obfuscated via object stream pdf-parser.py -o 1 -f ex010.pdf ex011.pdf PDF document with JavaScript, with open action, JavaScript triggers util.printf bug pdf-parser.py -o 7 ex011.pdf ex012.pdf PDF document with JavaScript, with open action, JavaScript executes heap spray and triggers util.printf bug pdf-parser.py -o 7 ex012.pdf ex013.pdf PDF document with embedded file pdf-parser.py -o 8 -f -d file.exe ex013.pdf ex014.pdf Malformed PDF document with file appended at the end pdf-parser.py -x file.exe ex014.pdf ex015.pdf PDF document with JavaScript in AcroForm pdf-parser.py -o 8 -f ex015.pdf ex016.pdf PDF document with metadata XML-bomb (small), trigger with JavaScript pdf-parser.py -o 7 -f ex016.pdf ex017.pdf PDF document with JavaScript, with open action, JavaScript switchs to full screen pdf-parser.py -o 7 ex017.pdf secret.pdf PDF document with /Launch action and embedded executable pdf-parser.py -o 7 secret.pdf ex019.pdf PDF document with JavaScript, with open action, PDF document is encrypted with owner password qpdf --decrypt ex019.pdf ex019-decrypted.pdf pdf-parser.py -o 2 ex019-decrypted.pdf ex020.pdf PDF document with JavaScript, with open action, PDF document is encrypted with user password (password is secret) qpdf --decrypt --password=secret ex020.pdf ex020-decrypted.pdf pdf-parser.py -o 2 ex020-decrypted.pdf